Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

coondoggie writes "Protecting and classifying sensitive information such as social security numbers shouldn't be that hard, but (perhaps not surprisingly) the US government has elevated complicating that task to an art form. It seems that designating, safeguarding, and disseminating such important information involves over 100 unique markings and at least 130 different labeling or handling routines, reflecting a disjointed, inconsistent, and unpredictable system for protecting, sharing, and disclosing sensitive information."
This was the conclusion of a recent report (PDF) by the Government Accountability Office, which also "found areas where sensitive information is not fully safeguarded and thus may
remain at risk of unauthorized disclosure or misuse."

If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encoded (without encryption) in the magstrip of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask.

What is the exact purpose of a SSN? In Australia, we have a tax file number (TFN), which seems equivalent. This is only used for taxation purposes. You would never use it for ID, unless you are identifying yourself to the tax department. You only give it to your bank if you earn interest, but you don't have to if you don't want to. Birth certificates are used as a baseline ID.

It was originally intended to be used only for purposes of tracking hours worked for social security benifits, and in fact the original social security act made it illegal to use it for any other purpose. Along came computers and relational databases and suddenly everyone needed a unique foreign key to keep records straight, the only record that was guaranteed to stay the same over time (mostly) was the SSN or TIN (social security number or taxpayer identification number). This made the SSN ideal for the primary foreign key and hence businesses and government both broke the law and used it to sort records, so much so that the law had to be amended to make it legal to use it as an identifier.

Are birth certificates serialized at the national level in Australia? Because in the US they are granted by the county health departments and there is no national system of tracking them. In fact prior to the IRS requiring SSN's to prove dependent status for minors it was not at all unusual to not have an SSN until your first legit job or turning 18 when males were required to get one for selective services (draft) purposes.

I believe they would be. I think they became federal in 86. But the number isn't used like an SSN. I believe the only time you would absolutely need a birth certificate is for your passport, TFN, welfare and a public health care card. All other things can be a mix of other stuff. For example, you could use a birth certificate to get a driver's licence, then use the driver's licence to get a bank account. So the bank doesn't have your birth certificate details.

Birth certificates are issued at the time/location of birth and registered at the state/territory level in Australia. They carry no succinct, unique identifier information suitable for use in foreign systems. As I suspect is the case in the US, getting states to do things in a consistent way is nigh on impossible. I can only imagine what a PITA dealing with umpteen hundreds of counties would be like.

Payrole is 1,000 times easier. There you have voluntary relationships (between firms). When the USG or even an organization of counties starts to standardize there are counties that will object just because they don't want to play nice.

There are counties with no roads, counties with less than 100 inhabitants,they don't all have an email address, etc.

I was thinking of the byzantine local, state, national, and international tax codes they have to deal with. Picture a company that straddles two counties and has employees working in different countries. EVERYONE wants a piece of the pie, and they don't go out of their way to make it easy.

Every so often, there's talk of issuing a national ID card in the US, which ends up portrayed as some sort of move towards a police state. I've never fully understood the reasoning on that -- among other things, given the lack of such a national ID, other documents are used in its place.

For instance, when one is officially hired for a job in the US, one is required to present their "I-9 documents" [wikipedia.org], to demonstrate that they are legally privileged to work in the US. That requirement is usually met with the co

I've never had that has a condition of being offered employment. It comes later once you start and they need to confirm that you are a citizen along with filling out your w4. I don't see how that's relevant. Hell I know foreign citizens that have jobs (legally).

You've never worked for T.J. Maxx where you had to have one at the time you fill out all your forms and they take a copy of your SS card and DL/ID (mandatory to have SS card according to T.J. Maxx policy, at least in 2k1).

The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy.

I'm not positive that's the problem -- as turbidostato pointed out, it's supposed to be an identification token, not a password. Trouble is, banks, CC companies, etc. commonly use this (perhaps coupled with something lame like DOB) as just that.

For example, from your clearly visible email address, I know you have a livejournal [livejournal.com] account (contains your birthdate, hometown, full name, etc.), you frequent Amazon [amazon.com] (which shows a picture of you, some personal info, etc.), and so forth -- all from a simple google search.

Thing is, I can't easily steal your identity, because you've only supplied your handle, but no password. I believe that's what turbidostato's saying; we should be able to talk about our SSN the same as our email address, as our handle and password should be (but aren't) separate.

"And SSN was only supposed to be used to track eligibility for SS benefits. Not for identification."

Do you mean that eligibility for SS benefits depends in some characteristic of the SSN, like being odd or prime? Of course it is an identity token!!! It's the means by which the Social Security identificates their subjects: you can *track* benefits because you can *identificate* beneficiaries by means of their SSN.

What you probably meant was that SSN was meant to be an identity token to be used only within

"The problem is that the SSN is so closely tagged to everything you do, just knowing it makes stealing an identity way too easy."

That's exactly my point. I could accept that common use of SSN would make nowadays for easy identity *tracking* but never identity *theft*, which is made so easy because you are using your SSN as an auth token, not an identity one.

No, identity theft is not because of SSN use as an auth token (not entirely anyway).

Identity theft is because your SSN is used as an identity token (at the employer level; not many employers will accept ID without having a copy of your SS card, some won't take anything but your DL/ID and SS card even if your SSN is on the DL/ID).

I keep my SSN card under lock and key and don't give it out unless I'm forced to (school, federal benefits such as pell grant, employment, banks). Unfortunately an increasing amount

"Identity theft is because your SSN is used as an identity token [...] I keep my SSN card under lock"

If it is not an authentication/authorization token, why do you try to keep it secret and under lock? And if it is not an identity token, whose identity is being stolen if not the one identified by that very SSN?

You identify yourself as 123-12-1234 (your SSN) and then you probe your authenticity... by knowing your own SSN. That's

You and I are apparently dealing with two different definitions of auth/identity token.

When I say authorization token, I'm talking about a password/phrase what have you. When I say it's an identity token I mean it's something used to identify you as you. Saying that the SSN hasn't become an identity token is to ignore the last 20+ years of it being used as such.

I'm not addressing anything else you said because you aren't making sense.

SSNs are used as an example. The real problem, alluded to in the article, is that the government attempts to classify personally sensitive, business sensitive, and military critical information (to name a few) under the same system. Unfortunately there is plenty of overlap and specific cases within these categories, resulting in a ridiculous number of labels - thereby resulting in mass confusion. However, this situation is often the case when one attempts to take a single system and apply it to such a wi

I'm with you. It's not just an "identification token": it's a *misused* identification token.

"Because not much more information than your social security number and your name are required to open a credit card account in your name".

Which is the real problem: an identification token -which your SSN certainly is, shouldn't be used that way. Just look around you: there's a world beyond USA and it seems it's only USA the one having problems with disclosed SSNs. H

Actually, no more than an SSN is required. I just searched Google on my SSN and turned up some interesting information, such my full name and that it was in use in New Mexico at one time, as well as my current location. I've never been to New Mexico. That could explain some recent phone calls concerning credit cards and addresses that I never lived at.

This is correct, the SSN is an identifier. (Yes, I know the card is marked not to use as identification, but that's different. The problem is that a secure transaction (on-line or off), requires an identifier and an authenticator. An identifier is like a username - it identifies who the party is. An authenticator is like a password - it attempts to confirm the entity supplying the identifier is the real one.

The problem is that the SSN is used as both identifier and authenticator, which is an inherent fl

Until the last couple of decades the Social Security Number in the US was only an identifier with NO financial value at all. It was an accounting identifier for the Social Security System initially, but had become a general "unique" identifier for many systems by the 1980's

It has not been that long ago that police departments all over the country would loan one an engraver with which you could permanently mark your valuable possessions so that, in the event of theft, they could be more easily returned to

Protecting and classifying the odd few petabytes that probably move daily in different formats across several hundred collecting agencies and several thousand user organizations is a tad more involved.

at least at the state level is the horrible pay for tech folks. Senior level positions that barely pay 49k. When I see ads in the local paper for state jobs that pay terrible and then read about data getting exposed, lost, etc. I'm not surprised.

Yeah, but then everyone bitches if they try to raise taxes... I mean, obviously, the solution is for governments to be more efficient with the money they do have, and to pay their people properly, but for some reason it's easier to cut people than programs...

Uh-huh. Except my first tech job out of college paid more than that. It's not a horrible salary, but I wouldn't consider a full-time job with pay that "low" unless there was something else spectacular about it.

I'd say it's a good salary. The key is to not spend every last penny on a giant house and useless things that you don't need. Lots of people would love making that much money each year. While they obviously can make more money, that's still a good salary.

This is not new. Sending young people with eg. language skills around the world or not vetting anyone ect is an old problem.
Low pay, very isolated, tending machines all day makes for unhappy young people. At best they get very drunk all the time. If not the KGB/FSB offers cash and a better life when rotated back home. Expansion during wars and time of need lets many people in who should never have been allowed.
On the outside you have that once in a generation 'press' types that do real work and are no

Your fellow citizens are asking you for this number every day, day in and day out, like it's nothing. The social security office will tell you not to give it to anyone except official government personnel and so on, but everybody wants it. I think for the most part, businesses are the culprits when it comes to stolen identity, not our government.

Well, duh. One side wants the government to do very little, while the other side wants the government to spend lots of money on stuff, so the politicians do as they're told and spend a lot of money getting nothing done.

Having read the article, and being a US Gov't employee, let me just say that Cooney has unnecessarily confused the issue. Some of the 50 examples he lists are duplicates ("1. SENSITIVE", "17. SENSITIVE (SENS)", "40. SENSITIVE BUT UNCLASSIFIED (SBU)" are all the same thing, as are "3. SBU-NF" and "4. SBU/ NOFORN", and several others). Many of the others are mixing apples and oranges. Items 5-9 deal with the data ownership, which is reasonably treated differently from "15. SOURCE SELECTION SENSITIVE" or "33. ATTORNEY CLIENT" information. Is the list Cooney presents absurd? Possibly. Could the Gov't marking system be simplified? Probably. But don't do it on the basis of this article.

not really. The US government is huge and (hold on to your hat) is actually reasonably efficient. Most of this efficiency comes from not making things completely uniform unless it helps a lot. So, the name given to things that are not subject to FOIA requests but are not classified is a good example. Why make one standard? Why not just let the department of energy call it "for official use only" and the department of state call it, "official use only." You could make a commission to argue over it and then f

I'm not really sure what your complaint is, or why it has to be. If DOE wants one set of restrictions and DOS wants another... so be it. If the interaction becomes a big deal, then let some high level committee spend time trying to figure it out. Until then, follow KISS.

I cannot see having 3 different types of 'Sensitive' can help efficiency at all.

Think of it this way:

- Your credit card information is sensitive , but you have to give it out to some people 'you think you can trust' in exchange for things you want. Once in a while you will get a new number and the old one will no longer be a coveted secret. Your credit is guarded under US law to limit your liability, but its a real pain when your card suddenly no longer works when you are out on a hot date.

Having multiple ways of marking something sensitive I can bet you comes from private industry. I bet Lockheed did it one way, Northrup did it another, and neither wanted to have to go back and fix all of their previous documents to conform to standards. So the government being accomodating said both would work. The big companies in industry have much more weight in things like this than the government does. The government just tries to reduce the number of markings, which is no easy task.

From the comments so far one would think the article was about SSNs. If you RTFA it's about procedures and bureacracy surrounding classified information including sometimes conflicting classifications used by different fedarl agencies. SSN was just an example for gods sake.

"Sensitive" is not "Classified". The GAO report listed only addressed slipshod contractor access to SBU (Sensitive, But Unclassified) information. Examples are business proprietary, attorney-client and personable identifiable information.

Once it hits "Secret" classification, the process is different and more stringent. "Top Secret" involves many (locked) hoops to jump thru for access. "Top Secret - SCI" is a major nightmare.

Honestly, you'll find very few accidental disclosures of Classified in

What about the Valery Plame scandal? There it turned out that all these white house officials had access to all this S/TS info and weren't really even paying attention to what was S and TS and didn't pay for it at all.

I am currently writing some software for an advertising company. They deal mainly in yellowpages type stuff.
They track over 100 attributes per item, for small cards with a few lines of text on them.
I predict they crater in 5 years tops.

Heck, they LOST (JUST LOST!) Billions of the stimulis money that they have no accounting for

It sounds awful, but frankly I think this fact is blown out of proportion. I occasionally lose the odd dollars in my own budget, which is MUCH less complex than the national budget. It's the same thing, just a bigger scale. Nothing so ridiculous about losing a few billion here or there when you're dealing with a budget of nearly 4 trillion dollars...Is it a good thing? No, not at all. But it's not something you should keep parroting anytime the subject of government comes up.

The DoD has issues with classifying data, yes, but they have to deal with some odd situations. A good example is a well known (publicly) Air Force project that I can't remember the acronym of but someone Googling could find it in a few minutes I'd imagine. This project used a 30 node Teradata system (NCR) with a combined total of 18TB (36TB if you count the mirror). None of the data was even classified as 'sensitive' on it's own, but after several years of gathering data it was decided by an audit that in a

Secrecy is horseshit. Document classification is horseshit. If something needs to be secret, don't put it into a document. If something needs to be secret and you know it, then don't tell anybody. Three can keep a secret if two are dead and the other is scared shitless about what will happen if he tells the secret. And notice the pronoun 'he' in the last sentence. For God's sake, if you are serious about keeping a secret, don't tell it to a woman.

How surprising can it be? Just look at all the bloody "geniuses" our schools put out. Eventually some of them go to work for Uncle Sam. Obviously there seem to be a lot of them in the Department of Education as well as other government sectors.

The Feds make a botch of nearly everything. The ONLY federal agencies that I think do a consistently good job are BLM, USFS, and NPS, and I think that's because they are the only agencies that really care about what they are doing. The
Marines also do a pretty good job...

"Promotion of new technologies to support declassification. Striking the critical balance between openness and secrecy is difficult but a necessary part of our democratic form of government. Striking this balance becomes more difficult as the volume and complexity of the information increases. Improving the capability of departments and agencies to identif

It states right on the
Social Security card [angelfire.com] that it is NOT to be used for identification, but for all intents and purposes, it is.The reason for security classifications is to protect the guilty.Politicians who are "in bed" with the oil companies, big pharma, the banksters, utilities, lobbyists, special interest groups. The
biggest lie [riotusa.org] stands as a testament to this truth.Why else would the videos of what really happened at the Pentagram have not been seen by anyone outside the "elite"?Questions about Ch

If you closely tag it to everything you do, you're doing it wrong. Unless they are a financial institution, tell em to shove it. Hell, it took my university until 2004 to figure out not to use that as a student ID number and encoded (without encryption) in the magstrip of the ID cards. Most places will allow you to get credit from them (like utilities) without it... if you ask.
http://www.linkmol.com/ [linkmol.com]